Overview

overview

10

Static

static

SecuriteIn...05.exe

windows7-x64

10

SecuriteIn...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2022 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe

  • Size

    756KB

  • MD5

    91e64955817f4a2c4a1d39926ad0ebc3

  • SHA1

    705970ffaa5d04be9ad37c001430f58fddf79d28

  • SHA256

    adcb4cadc4a186f55ab40167534aba3f36f43d716f3a2742942bcf73c2db6668

  • SHA512

    e6649200a350cca0d6c7bfeab4ba2e65f763a76118e2f51c6de982340c8260d3e185773b24537b47d103ff56b7d1242f16e03b793c6078528f572136e0f5be90

  • SSDEEP

    12288:EmxK67awP//KF5ccBBWGc2YQ5QFIgwgBzj+H9qqFf3L0bJprfIq0cT4rpFnL+hQ:Ex6Ga//KF5+2l5Qig/N+H9qAuDI3ckzF

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fRnurKmGZs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4808
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fRnurKmGZs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F9D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4604
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe"
      2⤵
        PID:2820
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe"
        2⤵
          PID:2084

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp8F9D.tmp
        Filesize

        1KB

        MD5

        02a26d600a334237ec8cebab6a504f44

        SHA1

        49a8c9632fe2f41e5fe281a12757ef2e3009b8d6

        SHA256

        8030c2b1960c89943fac2ae02a929c96636d42cee9fe850f6a01b47e02321c64

        SHA512

        0845a5c5c2513ab9320481d7aa66a691261342c602920b4ed650036c674114507ee2f5d0756fa9b9f4247ba24ac5f241588adccf7930ce6ddcf7b2dd16a7d29a

        Download Submit
      • memory/2084-150-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2084-149-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2084-147-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2084-145-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2084-144-0x0000000000000000-mapping.dmp
        Download
      • memory/2820-143-0x0000000000000000-mapping.dmp
        Download
      • memory/4604-139-0x0000000000000000-mapping.dmp
        Download
      • memory/4808-155-0x0000000007430000-0x0000000007AAA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/4808-156-0x0000000006DE0000-0x0000000006DFA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4808-151-0x0000000005AE0000-0x0000000005AFE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4808-138-0x0000000000000000-mapping.dmp
        Download
      • memory/4808-160-0x0000000007120000-0x000000000713A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4808-146-0x0000000004B30000-0x0000000004B52000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4808-159-0x0000000007010000-0x000000000701E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4808-148-0x0000000004BD0000-0x0000000004C36000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4808-152-0x00000000060A0000-0x00000000060D2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4808-158-0x0000000007060000-0x00000000070F6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/4808-161-0x0000000007100000-0x0000000007108000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4808-142-0x0000000004D70000-0x0000000005398000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4808-157-0x0000000006E50000-0x0000000006E5A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4808-153-0x0000000073720000-0x000000007376C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4808-154-0x0000000006080000-0x000000000609E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4808-140-0x00000000021B0000-0x00000000021E6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4844-132-0x0000000000670000-0x0000000000732000-memory.dmp
        Filesize

        776KB

        Download
      • memory/4844-135-0x00000000050F0000-0x00000000050FA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4844-134-0x0000000005120000-0x00000000051B2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4844-136-0x000000000B1A0000-0x000000000B23C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4844-137-0x000000000B5B0000-0x000000000B616000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4844-133-0x00000000056D0000-0x0000000005C74000-memory.dmp
        Filesize

        5.6MB

        Download